-rw-r--r--PKGBUILD17
-rw-r--r--profiles/0ad.local3
-rw-r--r--profiles/7kaa.profile16
-rw-r--r--profiles/antichamber.profile12
-rw-r--r--profiles/ark.local5
-rw-r--r--profiles/avadon.profile12
-rw-r--r--profiles/avernum.profile12
-rw-r--r--profiles/baloo_file.local4
-rw-r--r--profiles/banished.profile14
-rw-r--r--profiles/calligra.local6
-rw-r--r--profiles/cataclysm-tiles.profile4
-rw-r--r--profiles/cataclysm.profile20
-rw-r--r--profiles/curl.local1
-rw-r--r--profiles/desmume.profile23
-rw-r--r--profiles/digikam.local10
-rw-r--r--profiles/dins-curse.profile18
-rw-r--r--profiles/disable-programs.local66
-rw-r--r--profiles/discord.local13
-rw-r--r--profiles/divinity-original-sin-ee.profile22
-rw-r--r--profiles/dosbox.local18
-rw-r--r--profiles/endless-sky.profile18
-rw-r--r--profiles/factorio-headless.profile9
-rw-r--r--profiles/factorio.profile14
-rw-r--r--profiles/fceux.profile23
-rw-r--r--profiles/firefox-common-addons.local20
-rw-r--r--profiles/firefox-common.local12
-rw-r--r--profiles/firefox.local35
-rw-r--r--profiles/freeciv-qt.profile35
-rw-r--r--profiles/freedink.profile16
-rw-r--r--profiles/freeorion.profile18
-rw-r--r--profiles/ftl-advanced-edition.profile18
-rw-r--r--profiles/geneforge.profile12
-rw-r--r--profiles/generic-game-networked.inc11
-rw-r--r--profiles/generic-game.inc41
-rw-r--r--profiles/generic-wine-game-networked.inc12
-rw-r--r--profiles/generic-wine-game.inc55
-rw-r--r--profiles/git.local24
-rw-r--r--profiles/gwenview.local11
-rw-r--r--profiles/hg.profile59
-rw-r--r--profiles/imperator-rome.profile22
-rw-r--r--profiles/julius-game.profile14
-rw-r--r--profiles/k3b.local14
-rw-r--r--profiles/kaffeine.local4
-rw-r--r--profiles/karbon.profile53
-rw-r--r--profiles/kate.local5
-rw-r--r--profiles/kcalc.local7
-rw-r--r--profiles/keepassxc.local28
-rw-r--r--profiles/kget.local41
-rw-r--r--profiles/kmymoney.profile64
-rw-r--r--profiles/konqueror.profile72
-rw-r--r--profiles/konversation.local18
-rw-r--r--profiles/krita.local11
-rw-r--r--profiles/krunner.local2
-rw-r--r--profiles/ktorrent.local33
-rw-r--r--profiles/legend-of-grimrock.profile18
-rw-r--r--profiles/lgogdownloader.profile51
-rw-r--r--profiles/makepkg.local3
-rw-r--r--profiles/mgba-qt.profile4
-rw-r--r--profiles/mgba.profile26
-rw-r--r--profiles/mini-metro.profile25
-rw-r--r--profiles/mocp.profile51
-rw-r--r--profiles/mount-and-blade-warband.profile20
-rw-r--r--profiles/mupen64plus.local2
-rw-r--r--profiles/newsboat.local7
-rw-r--r--profiles/nyamp.profile52
-rw-r--r--profiles/objects-in-space.profile22
-rw-r--r--profiles/okular.local17
-rw-r--r--profiles/openmw-launcher.profile4
-rw-r--r--profiles/openmw.profile30
-rw-r--r--profiles/openrct2.profile19
-rw-r--r--profiles/palemoon.local24
-rw-r--r--profiles/pandora-first-contact.profile18
-rw-r--r--profiles/poi.local9
-rw-r--r--profiles/qtox.local23
-rw-r--r--profiles/renpy.profile18
-rw-r--r--profiles/rtv.profile58
-rw-r--r--profiles/sanctuaryrpg-black-edition.profile12
-rw-r--r--profiles/simcity4.profile14
-rw-r--r--profiles/singularity.profile20
-rw-r--r--profiles/sqlitebrowser.local13
-rw-r--r--profiles/star-citizen.profile27
-rw-r--r--profiles/starbound.profile20
-rw-r--r--profiles/stardew-valley.profile25
-rw-r--r--profiles/start-tor-browser.local3
-rw-r--r--profiles/strawberry.profile45
-rw-r--r--profiles/tome4.profile21
-rw-r--r--profiles/toxic.profile54
-rw-r--r--profiles/vambrace-cold-soul.profile24
-rw-r--r--profiles/vlc.local10
-rw-r--r--profiles/w3m.local11
-rw-r--r--profiles/warframe.profile21
-rw-r--r--profiles/weechat.local40
-rw-r--r--profiles/wesnoth.local37
-rw-r--r--profiles/wget.local3
-rw-r--r--profiles/wine.local16
-rw-r--r--profiles/x4-foundations.profile22
-rw-r--r--profiles/xcom-enemy-unknown.profile17
-rw-r--r--profiles/xenonauts.profile14
-rw-r--r--profiles/youtube-dl.local6
-rw-r--r--profiles/ziggurat.profile26
100 files changed, 2129 insertions, 0 deletions
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 0000000..75dae3a
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,17 @@
+# Maintainer: jc_gargma <jc_gargma@iserlohn-fortress.net>
+
+pkgname=firejail-profiles
+pkgver=20200314
+pkgrel=2
+pkgdesc="Additional firejail profiles and locals"
+arch=('any')
+url="https://library.iserlohn-fortress.net/jc_gargma"
+license=('GPLv3')
+depends=('firejail' 'hardened-malloc')
+source=(profiles.tar.gz)
+b2sums=('ecb85604bc8a80a7dcd7ba2a6e900af062f1d10164a583ccf407fc26627f543523db7c1a65a072d61b0626209a124a92ec5b3ec02737742069790a600d849a38')
+
+package() {
+ install --directory ${pkgdir}/etc/firejail
+ cp $srcdir/profiles/* $pkgdir/etc/firejail/
+}
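Review bot: Both recipe lines in package() expand `$srcdir`/`$pkgdir` unquoted, and `cp` carries over whatever modes the tarball happened to contain, so the profiles can land in /etc/firejail with a mode nobody chose and the build breaks on a path containing spaces. `install -d "$pkgdir/etc/firejail"` followed by `install -m644 -t "$pkgdir/etc/firejail" "$srcdir"/profiles/*` quotes the paths and pins the mode instead of inheriting it from the archive. Since `source=(profiles.tar.gz)` is a local tarball, the b2sum also has to be regenerated on every profile change; a comment above `b2sums=` saying so would save the next bump.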
diff --git a/profiles/0ad.local b/profiles/0ad.local
new file mode 100644
index 0000000..c5e5982
--- /dev/null
+++ b/profiles/0ad.local
@@ -0,0 +1,3 @@
+include disable-xdg.inc
+
+private-cache
diff --git a/profiles/7kaa.profile b/profiles/7kaa.profile
new file mode 100644
index 0000000..d996dfa
--- /dev/null
+++ b/profiles/7kaa.profile
@@ -0,0 +1,16 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 7kaa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/7kfans.com
+
+mkdir ${HOME}/.local/share/7kfans.com
+whitelist ${HOME}/.local/share/7kfans.com
+
+# private-bin 7kaa
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/profiles/antichamber.profile b/profiles/antichamber.profile
new file mode 100644
index 0000000..876ece3
--- /dev/null
+++ b/profiles/antichamber.profile
@@ -0,0 +1,12 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include antichamber.local
+# Persistent global definitions
+include globals.local
+
+whitelist ${HOME}/games/Antichamber
+read-only ${HOME}/games/Antichamber
+
+ignore noexec ${HOME}
+
+include generic-game.inc
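Review bot: `ignore noexec ${HOME}` re-allows execution from the whole home directory, a noticeably wider relaxation than the single read-only game tree this profile whitelists, and nothing says why. A comment such as `# game binary lives under ${HOME}/games, which disable-exec.inc presumably mounts noexec` would record the reason; dins-curse.profile, divinity-original-sin-ee.profile, ftl-advanced-edition.profile and julius-game.profile carry the same unexplained line.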
diff --git a/profiles/ark.local b/profiles/ark.local
new file mode 100644
index 0000000..86e4edc
--- /dev/null
+++ b/profiles/ark.local
@@ -0,0 +1,5 @@
+net none
+no3d
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
diff --git a/profiles/avadon.profile b/profiles/avadon.profile
new file mode 100644
index 0000000..133c53a
--- /dev/null
+++ b/profiles/avadon.profile
@@ -0,0 +1,12 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geneforge.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/Avadon
+whitelist ${HOME}/.local/share/wineprefixes/Avadon
+
+ignore memory-deny-write-execute
+
+include generic-wine-game.inc
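Review bot: `include geneforge.local` under the "Persistent local customizations" header does not match this profile's name, so an avadon.local a user creates is never read and whatever is in geneforge.local applies to Avadon instead. avernum.profile (geneforge.local) and banished.profile (sanctuaryrpg-black-edition.local) have the same mismatch. If sharing one local across several games is deliberate, say so in the comment, e.g. `# Shared local with geneforge.profile on purpose`; otherwise change the line to `include avadon.local`.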
diff --git a/profiles/avernum.profile b/profiles/avernum.profile
new file mode 100644
index 0000000..1d61200
--- /dev/null
+++ b/profiles/avernum.profile
@@ -0,0 +1,12 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geneforge.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/Avernum
+whitelist ${HOME}/.local/share/wineprefixes/Avernum
+
+ignore memory-deny-write-execute
+
+include generic-wine-game.inc
diff --git a/profiles/baloo_file.local b/profiles/baloo_file.local
new file mode 100644
index 0000000..566f96d
--- /dev/null
+++ b/profiles/baloo_file.local
@@ -0,0 +1,4 @@
+ignore noblacklist ${HOME}/.kde/share/config/baloofilerc
+ignore noblacklist ${HOME}/.kde/share/config/baloorc
+ignore noblacklist ${HOME}/.kde4/share/config/baloofilerc
+ignore noblacklist ${HOME}/.kde4/share/config/baloorc
diff --git a/profiles/banished.profile b/profiles/banished.profile
new file mode 100644
index 0000000..a050eec
--- /dev/null
+++ b/profiles/banished.profile
@@ -0,0 +1,14 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sanctuaryrpg-black-edition.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/Banished
+whitelist ${HOME}/.local/share/wineprefixes/Banished
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+include generic-wine-game.inc
diff --git a/profiles/calligra.local b/profiles/calligra.local
new file mode 100644
index 0000000..488fcd2
--- /dev/null
+++ b/profiles/calligra.local
@@ -0,0 +1,6 @@
+# # ipc-namespace breaks menus
+ignore ipc-namespace
+
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
diff --git a/profiles/cataclysm-tiles.profile b/profiles/cataclysm-tiles.profile
new file mode 100644
index 0000000..36a77a5
--- /dev/null
+++ b/profiles/cataclysm-tiles.profile
@@ -0,0 +1,4 @@
+# This file is overwritten after every install/update
+
+# Redirect
+include cataclysm.profile
diff --git a/profiles/cataclysm.profile b/profiles/cataclysm.profile
new file mode 100644
index 0000000..5773161
--- /dev/null
+++ b/profiles/cataclysm.profile
@@ -0,0 +1,20 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cataclysm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cataclysm-dda
+noblacklist ${HOME}/.local/share/cataclysm-dda
+mkdir ${HOME}/.config/cataclysm-dda
+mkdir ${HOME}/.local/share/cataclysm-dda
+whitelist ${HOME}/.config/cataclysm-dda
+whitelist ${HOME}/.local/share/cataclysm-dda
+
+seccomp !name_to_handle_at
+
+private-bin cataclysm,cataclysm-tiles
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/profiles/curl.local b/profiles/curl.local
new file mode 100644
index 0000000..1e31424
--- /dev/null
+++ b/profiles/curl.local
@@ -0,0 +1 @@
+machine-id
diff --git a/profiles/desmume.profile b/profiles/desmume.profile
new file mode 100644
index 0000000..3544be3
--- /dev/null
+++ b/profiles/desmume.profile
@@ -0,0 +1,23 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include desmume.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/desmume
+noblacklist ${HOME}/games/Emulators/NDSGAMES
+
+mkdir ${HOME}/.config/desmume
+whitelist ${HOME}/.config/desmume
+whitelist ${HOME}/games/Emulators/NDSGAMES
+read-only ${HOME}/games/Emulators/NDSGAMES
+include whitelist-common.inc
+
+seccomp !name_to_handle_at
+
+# private-dev breaks joysticks
+ignore private-dev
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/profiles/digikam.local b/profiles/digikam.local
new file mode 100644
index 0000000..bf8987a
--- /dev/null
+++ b/profiles/digikam.local
@@ -0,0 +1,10 @@
+ignore noblacklist ${HOME}/.kde/share/apps/digikam
+ignore noblacklist ${HOME}/.kde4/share/apps/digikam
+
+net none
+protocol unix
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+
+private-dev
diff --git a/profiles/dins-curse.profile b/profiles/dins-curse.profile
new file mode 100644
index 0000000..39bbe69
--- /dev/null
+++ b/profiles/dins-curse.profile
@@ -0,0 +1,18 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dins-curse.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/DinsCurse
+
+whitelist ${HOME}/games/Dins Curse
+read-only ${HOME}/games/Dins Curse
+mkdir ${HOME}/.local/DinsCurse
+whitelist ${HOME}/.local/DinsCurse
+
+private-etc asound.conf,group,localtime,machine-id,protocols,pulse,resolv.conf
+
+ignore noexec ${HOME}
+
+include generic-game-networked.inc
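Review bot: The `private-etc` list in this profile is identical to the one in generic-game-networked.inc that is included two lines later, so it is either redundant or, depending on whether the installed firejail merges repeated `private-etc` lines or lets the last one win, silently irrelevant. imperator-rome.profile relies on the same behaviour in the opposite direction: it adds `passwd` before including generic-game.inc, which sets its own list. Either drop the duplicate here, or state the dependence once it has been verified against the targeted firejail version, e.g. `# firejail merges repeated private-etc lines; this adds passwd to the generic list`.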
diff --git a/profiles/disable-programs.local b/profiles/disable-programs.local
new file mode 100644
index 0000000..0f49812
--- /dev/null
+++ b/profiles/disable-programs.local
@@ -0,0 +1,66 @@
+blacklist ${HOME}/.aqbanking
+blacklist ${HOME}/.cache/kget
+blacklist ${HOME}/.cache/kontact
+blacklist ${HOME}/.cache/smolbote
+blacklist ${HOME}/.config/cataclysm-dda
+blacklist ${HOME}/.config/kget_bittorrentfactory.rc
+blacklist ${HOME}/.config/kget_metalinkfactory.rc
+blacklist ${HOME}/.config/kget_multisegkiofactory.rc
+blacklist ${HOME}/.config/kmymoney
+blacklist ${HOME}/.config/kmymoneyrc
+blacklist ${HOME}/.config/konq_history
+blacklist ${HOME}/.config/konquerorrc
+blacklist ${HOME}/.config/lgogdownloader
+blacklist ${HOME}/.config/iserlohn-fortress.net/nyamp
+blacklist ${HOME}/.config/openmw
+blacklist ${HOME}/.config/openmw-wizardrc
+blacklist ${HOME}/.config/OpenRCT2
+blacklist ${HOME}/.config/Proxy Studios
+blacklist ${HOME}/.config/Proxy Studios/Pandora
+blacklist ${HOME}/.config/rtv
+blacklist ${HOME}/.config/smolbote
+blacklist ${HOME}/.config/StardewValley
+blacklist ${HOME}/.config/unity3d
+blacklist ${HOME}/.config/unity3d/DevespressoGames
+blacklist ${HOME}/.config/unity3d/DevespressoGames/VambraceColdSoul
+blacklist ${HOME}/.config/unity3d/Dinosaur Polo Club
+blacklist ${HOME}/.config/unity3d/Dinosaur Polo Club/Mini Metro
+blacklist ${HOME}/.config/unity3d/Milkstone Studios
+blacklist ${HOME}/.config/unity3d/Milkstone Studios/Ziggurat
+blacklist ${HOME}/.dink
+blacklist ${HOME}/.gkrellm2
+blacklist ${HOME}/.local/DinsCurse
+blacklist ${HOME}/.local/share/7kfans.com
+blacklist ${HOME}/.local/share/Almost Human
+blacklist ${HOME}/.local/share/Almost Human/Legend of Grimrock
+blacklist ${HOME}/.local/share/cataclysm-dda
+blacklist ${HOME}/.local/share/endless-sky
+blacklist ${HOME}/.local/share/FasterThanLight
+blacklist ${HOME}/.local/share/Goldhawk Interactive
+blacklist ${HOME}/.local/share/kaddressbook
+blacklist ${HOME}/.local/share/klipper
+blacklist ${HOME}/.local/share/kmymoney
+blacklist ${HOME}/.local/share/konqueror
+blacklist ${HOME}/.local/share/kontact
+blacklist ${HOME}/.local/share/korganizer
+blacklist ${HOME}/.local/share/maildir
+blacklist ${HOME}/.local/share/networkmanagement
+blacklist ${HOME}/.local/share/OpenRCT2
+blacklist ${HOME}/.local/share/openmw
+blacklist ${HOME}/.local/share/Paradox Interactive
+blacklist ${HOME}/.local/share/Paradox Interactive/Imperator
+blacklist ${HOME}/.local/share/sddm
+blacklist ${HOME}/.local/share/smolbote
+blacklist ${HOME}/.local/share/wineprefixes/GeneForge
+blacklist ${HOME}/.local/share/wineprefixes/SanctuaryRPG
+blacklist ${HOME}/.local/share/wineprefixes/SimCity4
+blacklist ${HOME}/.local/share/wineprefixes/StarCitizen
+blacklist ${HOME}/.local/share/wineprefixes/Warframe
+blacklist ${HOME}/.mbwarband
+blacklist ${HOME}/.moc
+blacklist ${HOME}/.renpy
+blacklist ${HOME}/.t4-engine
+blacklist ${HOME}/applications/tor-browser_en-US
+blacklist ${HOME}/Documents/ObjectsInSpace
+blacklist ${HOME}/Larian Studios
+blacklist ${HOME}/Larian Studios/Divinity Original Sin Enhanced Edition
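Review bot: The list blacklists the GeneForge, SanctuaryRPG, SimCity4, StarCitizen and Warframe wine prefixes but not the Avadon, Avernum and Banished prefixes that avadon.profile, avernum.profile and banished.profile `noblacklist`, so those save trees stay visible to every other sandbox that pulls in disable-programs.inc; the same holds for the `.local/share/factorio` and `.local/share/bvschaik/julius` paths used by factorio.profile and julius-game.profile unless upstream disable-programs.inc already covers them. `blacklist ${HOME}/.local/share/wineprefixes/Avadon`, `blacklist ${HOME}/.local/share/wineprefixes/Avernum` and `blacklist ${HOME}/.local/share/wineprefixes/Banished` close the wine gap. The `iserlohn-fortress.net/nyamp` entry is also out of the otherwise alphabetical order, which makes such omissions harder to spot.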
diff --git a/profiles/discord.local b/profiles/discord.local
new file mode 100644
index 0000000..76dc0be
--- /dev/null
+++ b/profiles/discord.local
@@ -0,0 +1,13 @@
+noblacklist /opt/discord
+
+whitelist /opt/discord
+
+ipc-namespace
+# machine-id
+ignore noroot
+shell none
+# # tracelog breaks CEF
+# tracelog
+
+disable-mnt
+private-etc asound.conf,fonts,machine-id,pulse,resolv.conf
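Review bot: `ignore noroot` removes the user-namespace restriction from the upstream profile without a reason, while the nearby `# tracelog` does get one; a line such as `# noroot breaks <observed symptom - fill in>` would let the next reader judge whether it is still needed. The commented `# machine-id` likewise has no note saying why it is off, whereas firefox.local documents the same decision.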
diff --git a/profiles/divinity-original-sin-ee.profile b/profiles/divinity-original-sin-ee.profile
new file mode 100644
index 0000000..7b847fd
--- /dev/null
+++ b/profiles/divinity-original-sin-ee.profile
@@ -0,0 +1,22 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include divinity-original-sin-ee.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/Larian Studios
+noblacklist ${HOME}/Larian Studios/Divinity Original Sin Enhanced Edition
+
+mkdir ${HOME}/Larian Studios
+mkdir ${HOME}/Larian Studios/Divinity Original Sin Enhanced Edition
+whitelist ${HOME}/Larian Studios/Divinity Original Sin Enhanced Edition
+whitelist ${HOME}/games/Divinity - Original Sin - Extended Edition
+#read-only ${HOME}/games/Divinity - Original Sin - Extended Edition
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game-networked.inc
diff --git a/profiles/dosbox.local b/profiles/dosbox.local
new file mode 100644
index 0000000..fcfbe11
--- /dev/null
+++ b/profiles/dosbox.local
@@ -0,0 +1,18 @@
+ignore noblacklist ${DOCUMENTS}
+
+whitelist ${HOME}/.dosbox
+whitelist ${HOME}/games/Emulators/DOSGAMES
+include whitelist-common.inc
+
+ignore netfilter
+# # nogroups breaks alsa audio when using fluidsynth for midi
+ignore nogroups
+net none
+nodbus
+protocol unix
+
+#Breaks OMF
+ignore private-bin
+
+#Breaks using controllers
+ignore private-dev
diff --git a/profiles/endless-sky.profile b/profiles/endless-sky.profile
new file mode 100644
index 0000000..02df293
--- /dev/null
+++ b/profiles/endless-sky.profile
@@ -0,0 +1,18 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include include endless-sky.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/endless-sky
+
+mkdir ${HOME}/.local/share/endless-sky
+whitelist ${HOME}/.local/share/endless-sky
+
+ignore machine-id
+
+private-bin endless-sky
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
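Review bot: Line 3 reads `include include endless-sky.local`, so the include path becomes the literal `include endless-sky.local`, which does not exist; because that name ends in `.local`, firejail may skip it silently rather than fail, meaning a user's endless-sky.local is never applied. Change it to `include endless-sky.local`.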
diff --git a/profiles/factorio-headless.profile b/profiles/factorio-headless.profile
new file mode 100644
index 0000000..eb84d28
--- /dev/null
+++ b/profiles/factorio-headless.profile
@@ -0,0 +1,9 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include factorio-headless.local
+# Persistent global definitions
+include globals.local
+
+ignore memory-deny-write-execute
+
+include generic-game-networked.inc
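Review bot: Unlike factorio.profile, this profile has no `whitelist`/`mkdir` lines at all, so apart from the disable-*.inc blacklists the whole home directory stays visible and writable to the headless server, and the networked include opens the network on top. If the server uses the same `${HOME}/games/Factorio` and `${HOME}/.local/share/factorio` paths as factorio.profile, copying that profile's `whitelist`/`read-only`/`mkdir` lines would narrow it to those two trees; if it deliberately runs from elsewhere, a comment naming the path would help.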
diff --git a/profiles/factorio.profile b/profiles/factorio.profile
new file mode 100644
index 0000000..3b168f4
--- /dev/null
+++ b/profiles/factorio.profile
@@ -0,0 +1,14 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include factorio.local
+# Persistent global definitions
+include globals.local
+
+whitelist ${HOME}/games/Factorio
+read-only ${HOME}/games/Factorio
+mkdir ${HOME}/.local/share/factorio
+whitelist ${HOME}/.local/share/factorio
+
+ignore memory-deny-write-execute
+
+include generic-game-networked.inc
diff --git a/profiles/fceux.profile b/profiles/fceux.profile
new file mode 100644
index 0000000..b63b0b7
--- /dev/null
+++ b/profiles/fceux.profile
@@ -0,0 +1,23 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fceux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.fceux
+noblacklist ${HOME}/games/Emulators/NESGAMES
+
+mkdir ${HOME}/.fceux
+whitelist ${HOME}/.fceux
+whitelist ${HOME}/games/Emulators/NESGAMES
+read-only ${HOME}/games/Emulators/NESGAMES
+include whitelist-common.inc
+
+seccomp !name_to_handle_at
+
+# private-dev breaks joysticks
+ignore private-dev
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/profiles/firefox-common-addons.local b/profiles/firefox-common-addons.local
new file mode 100644
index 0000000..80a4895
--- /dev/null
+++ b/profiles/firefox-common-addons.local
@@ -0,0 +1,20 @@
+ignore noblacklist ${HOME}/.kde/share/apps/kget
+ignore noblacklist ${HOME}/.kde/share/apps/okular
+ignore noblacklist ${HOME}/.kde/share/config/kgetrc
+ignore noblacklist ${HOME}/.kde/share/config/okularpartrc
+ignore noblacklist ${HOME}/.kde/share/config/okularrc
+ignore whitelist ${HOME}/.kde/share/apps/kget
+ignore whitelist ${HOME}/.kde/share/apps/okular
+ignore whitelist ${HOME}/.kde/share/config/kgetrc
+ignore whitelist ${HOME}/.kde/share/config/okularpartrc
+ignore whitelist ${HOME}/.kde/share/config/okularrc
+ignore noblacklist ${HOME}/.kde4/share/apps/kget
+ignore noblacklist ${HOME}/.kde4/share/apps/okular
+ignore noblacklist ${HOME}/.kde4/share/config/kgetrc
+ignore noblacklist ${HOME}/.kde4/share/config/okularpartrc
+ignore noblacklist ${HOME}/.kde4/share/config/okularrc
+ignore whitelist ${HOME}/.kde4/share/apps/kget
+ignore whitelist ${HOME}/.kde4/share/apps/okular
+ignore whitelist ${HOME}/.kde4/share/config/kgetrc
+ignore whitelist ${HOME}/.kde4/share/config/okularpartrc
+ignore whitelist ${HOME}/.kde4/share/config/okularrc
diff --git a/profiles/firefox-common.local b/profiles/firefox-common.local
new file mode 100644
index 0000000..0441b7e
--- /dev/null
+++ b/profiles/firefox-common.local
@@ -0,0 +1,12 @@
+include disable-passwdmgr.inc
+include disable-xdg.inc
+ignore noblacklist ${HOME}/.pki
+ignore noblacklist ${HOME}/.local/share/pki
+ignore mkdir ${HOME}/.pki
+ignore mkdir ${HOME}/.local/share/pki
+ignore whitelist ${HOME}/.pki
+ignore whitelist ${HOME}/.local/share/pki
+
+protocol unix,inet,inet6
+
+private-cache
diff --git a/profiles/firefox.local b/profiles/firefox.local
new file mode 100644
index 0000000..7c26bed
--- /dev/null
+++ b/profiles/firefox.local
@@ -0,0 +1,35 @@
+ignore noblacklist ${HOME}/.cache/mozilla
+ignore mkdir ${HOME}/.cache/mozilla/firefox
+ignore whitelist ${HOME}/.cache/mozilla/firefox
+
+# # Block system extensions
+blacklist /usr/lib/firefox/browser/features
+
+# # Prevent UUID generation
+blacklist ${HOME}/.mozilla/firefox/*/datareporting
+
+# # machine-id without private-etc/pulse causes pulseaudio segfaults
+# # machine-id breaks audio
+# machine-id
+
+private-bin firefox,bash
+
+# # private-etc requires machine-id or pulse else pulseaudio segafaults
+# # private-etc requires both machine-id and pulse for pulseaudio support
+# # private-etc requires machine-id for alsa audio support
+# Use for pulseaudio
+# private-etc asound.conf,machine-id,pulse,resolv.conf
+# Use for alsa
+# private-etc asound.conf,group,machine-id,resolv.conf
+# Use for broken audio
+# private-etc asound.conf,pulse,resolv.conf
+private-etc resolv.conf
+
+
+# # Use for GTK_USE_PORTAL=1 support on KDE
+#private-etc machine-id,passwd,resolv.conf
+#ignore nodbus
+#ignore noroot
+
+# # Use with hardened-malloc package
+env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/profiles/freeciv-qt.profile b/profiles/freeciv-qt.profile
new file mode 100644
index 0000000..e1d7a5a
--- /dev/null
+++ b/profiles/freeciv-qt.profile
@@ -0,0 +1,35 @@
+# Firejail profile for freeciv-qt
+# Description: A multi-player strategy game, with Qt GUI
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv-qt.local
+# Persistent global definitions
+include globals.local
+
+# No longer required? Test this.
+noblacklist ${PATH}/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/include/lua*
+noblacklist /usr/share/lua
+
+noblacklist ${HOME}/.freeciv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+
+private-bin freeciv-qt,freeciv-mp-qt,freeciv-server,freeciv-manual,freeciv-ruleedit
+private-etc asound.conf,freeciv,group,localtime,machine-id,pulse,resolv.conf
+
+# Breaks freeciv-qt
+ignore memory-deny-write-execute
+
+include freeciv.profile
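Review bot: The `# No longer required? Test this.` comment leaves four lua `noblacklist` lines in place untested, and those lines undo part of disable-interpreters.inc for this sandbox. Either verify and remove them, or replace the question with the observed reason, e.g. `# freeciv's ruleset scripting loads the system lua modules`. `include freeciv.profile` at the end also pulls in upstream's own includes of freeciv.local and globals.local, so both locals are parsed twice; harmless, but worth a one-line comment so nobody "fixes" the duplicate include at the top.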
diff --git a/profiles/freedink.profile b/profiles/freedink.profile
new file mode 100644
index 0000000..cc501e4
--- /dev/null
+++ b/profiles/freedink.profile
@@ -0,0 +1,16 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freedink.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.dink
+
+mkdir ${HOME}/.dink
+whitelist ${HOME}/.dink
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/profiles/freeorion.profile b/profiles/freeorion.profile
new file mode 100644
index 0000000..6e4920c
--- /dev/null
+++ b/profiles/freeorion.profile
@@ -0,0 +1,18 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeorion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /usr/lib/python2*
+noblacklist ${HOME}/.config/freeorion
+noblacklist ${HOME}/.local/share/freeorion
+
+mkdir ${HOME}/.config/freeorion
+whitelist ${HOME}/.config/freeorion
+mkdir ${HOME}/.local/share/freeorion
+whitelist ${HOME}/.local/share/freeorion
+
+ignore memory-deny-write-execute
+
+include generic-game-networked.inc
diff --git a/profiles/ftl-advanced-edition.profile b/profiles/ftl-advanced-edition.profile
new file mode 100644
index 0000000..a47939c
--- /dev/null
+++ b/profiles/ftl-advanced-edition.profile
@@ -0,0 +1,18 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ftl-advanced-edition.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/FasterThanLight
+
+mkdir ${HOME}/.local/share/FasterThanLight
+whitelist ${HOME}/.local/share/FasterThanLight
+whitelist ${HOME}/games/FTL - Advanced Edition
+read-only ${HOME}/games/FTL - Advanced Edition
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
diff --git a/profiles/geneforge.profile b/profiles/geneforge.profile
new file mode 100644
index 0000000..7982b89
--- /dev/null
+++ b/profiles/geneforge.profile
@@ -0,0 +1,12 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geneforge.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/GeneForge
+whitelist ${HOME}/.local/share/wineprefixes/GeneForge
+
+ignore memory-deny-write-execute
+
+include generic-wine-game.inc
diff --git a/profiles/generic-game-networked.inc b/profiles/generic-game-networked.inc
new file mode 100644
index 0000000..39d7199
--- /dev/null
+++ b/profiles/generic-game-networked.inc
@@ -0,0 +1,11 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include generic-game-networked.local
+
+ignore net
+netfilter
+protocol unix,inet,inet6
+
+private-etc asound.conf,group,localtime,machine-id,pulse,resolv.conf
+
+include generic-game.inc
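Review bot: `ignore net` on line 5 is meant to cancel the `net none` in generic-game.inc, but firejail's `ignore` matches the start of a line, so in versions where that match is a plain prefix it can also suppress the `netfilter` directive on line 6, leaving the sandbox's network unfiltered. `ignore net none` cancels exactly the one line and nothing else; generic-wine-game-networked.inc has the same pattern.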
diff --git a/profiles/generic-game.inc b/profiles/generic-game.inc
new file mode 100644
index 0000000..d28b734
--- /dev/null
+++ b/profiles/generic-game.inc
@@ -0,0 +1,41 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include generic-game.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+
+caps.drop all
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+# ipc-namespace
+machine-id
+net none
+# # no3d breaks gpu rendering
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc asound.conf,group,localtime,machine-id,pulse
+private-tmp
+
+memory-deny-write-execute
diff --git a/profiles/generic-wine-game-networked.inc b/profiles/generic-wine-game-networked.inc
new file mode 100644
index 0000000..12c5c7d
--- /dev/null
+++ b/profiles/generic-wine-game-networked.inc
@@ -0,0 +1,12 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include generic-wine-game-networked.local
+
+ignore net
+netfilter
+protocol unix,inet,inet6
+
+# wine games require passwd
+private-etc asound.conf,group,localtime,machine-id,passwd,pulse,resolv.conf
+
+include generic-wine-game.inc
diff --git a/profiles/generic-wine-game.inc b/profiles/generic-wine-game.inc
new file mode 100644
index 0000000..62d8967
--- /dev/null
+++ b/profiles/generic-wine-game.inc
@@ -0,0 +1,55 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include generic-wine-game.local
+
+noblacklist ${HOME}/.wine
+noblacklist ${HOME}/.config/q4wine
+noblacklist ${HOME}/.local/share/wineprefixes
+
+# with >=llvm-4 mesa drivers need llvm stuff
+noblacklist /usr/lib/llvm*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.wine
+mkdir ${HOME}/.config/q4wine
+mkdir ${HOME}/.local/share/wineprefixes
+whitelist ${HOME}/.wine
+whitelist ${HOME}/.config/q4wine
+# whitelist ${HOME}/.local/share/wineprefixes/bottle-name-here
+whitelist ${HOME}/.local/share/wineprefixes/zz_c
+
+caps.drop all
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+# ipc-namespace
+machine-id
+net none
+# # no3d breaks gpu rendering
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+# wine games require passwd
+private-etc asound.conf,group,localtime,machine-id,passwd,pulse
+private-tmp
+
+memory-deny-write-execute
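Review bot: `whitelist ${HOME}/.local/share/wineprefixes/zz_c` on line 26 looks like a machine-specific bottle left next to the `bottle-name-here` template, and because this file is included by every wine game profile that bottle becomes visible in all of them. Move the line into the profile (or generic-wine-game.local) that actually needs it and keep only the commented template here. Separately, this include lacks the `private-cache` that generic-game.inc sets, so wine games keep the real ~/.cache; add `private-cache` or a comment on why it is omitted.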
diff --git a/profiles/git.local b/profiles/git.local
new file mode 100644
index 0000000..0d64d0d
--- /dev/null
+++ b/profiles/git.local
@@ -0,0 +1,24 @@
+whitelist ${HOME}/.config/git
+whitelist ${HOME}/.config/nano
+whitelist ${HOME}/.emacs
+whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.gitconfig
+whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.gnupg
+#read-only ${HOME}/.gnupg
+whitelist ${HOME}/.nanorc
+read-only ${HOME}/.nanorc
+whitelist ${HOME}/.oh-my-zsh
+#whitelist ${HOME}/.ssh
+#read-only ${HOME}/.ssh
+whitelist ${HOME}/.vim
+whitelist ${HOME}/.viminfo
+whitelist ${HOME}/build
+whitelist ${HOME}/workspace
+
+
+
+
+protocol inet,inet6
+
+private-bin git,less
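Review bot: The whitelist opens `.config/nano`, `.nanorc`, `.vim`, `.viminfo` and `.emacs*` for an editor, but `private-bin git,less` leaves no editor in the sandbox, so `git commit` without `-m` or an interactive rebase cannot launch one; either add the editor to `private-bin git,less,nano` (or vim/emacs) or drop the editor whitelists. hg.profile has the same mismatch with `private-bin hg,python2`. `whitelist ${HOME}/.git-credentials` exposes stored plaintext credentials to everything running in the sandbox; if the credential store helper is not in use, the line is better left out or commented like the `.gnupg` and `.ssh` entries.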
diff --git a/profiles/gwenview.local b/profiles/gwenview.local
new file mode 100644
index 0000000..1c82bfd
--- /dev/null
+++ b/profiles/gwenview.local
@@ -0,0 +1,11 @@
+ignore noblacklist ${HOME}/.kde/share/apps/gwenview
+ignore noblacklist ${HOME}/.kde/share/config/gwenviewrc
+ignore noblacklist ${HOME}/.kde4/share/apps/gwenview
+ignore noblacklist ${HOME}/.kde4/share/config/gwenviewrc
+
+net none
+ignore netfilter
+nodbus
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
diff --git a/profiles/hg.profile b/profiles/hg.profile
new file mode 100644
index 0000000..ac5943d
--- /dev/null
+++ b/profiles/hg.profile
@@ -0,0 +1,59 @@
+# Firejail profile for hg
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include hg.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.hgrc
+#noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.oh-my-zsh
+#noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+blacklist /tmp/.X11-unix
+
+whitelist ${HOME}/.config/nano
+whitelist ${HOME}/.emacs
+whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.hgrc
+#whitelist ${HOME}/.gnupg
+#read-only ${HOME}/.gnupg
+whitelist ${HOME}/.nanorc
+read-only ${HOME}/.nanorc
+whitelist ${HOME}/.oh-my-zsh
+#whitelist ${HOME}/.ssh
+#read-only ${HOME}/.ssh
+whitelist ${HOME}/.vim
+whitelist ${HOME}/.viminfo
+whitelist ${HOME}/build
+whitelist ${HOME}/workspace
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol inet,inet6
+#protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin hg,python2
+private-dev
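Review bot: Compared with the game includes in this set, this profile omits `private-tmp`, `disable-mnt`, `nou2f` and `private-cache`, and it does not include disable-devel.inc, disable-exec.inc or disable-xdg.inc, so /tmp, mounted media and the XDG user directories stay visible to a process that only needs the repository and its configs. If an omission is deliberate (disable-interpreters.inc, for example, would conflict with `private-bin hg,python2`), a one-line comment per omission would make that clear; the rest can be added below `private-dev`.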
diff --git a/profiles/imperator-rome.profile b/profiles/imperator-rome.profile
new file mode 100644
index 0000000..8732cb9
--- /dev/null
+++ b/profiles/imperator-rome.profile
@@ -0,0 +1,22 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include imperator-rome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/games/Imperator - Rome
+noblacklist ${HOME}/.local/share/Paradox Interactive/Imperator
+
+whitelist ${HOME}/games/Imperator - Rome
+read-only ${HOME}/games/Imperator - Rome
+mkdir ${HOME}/.local/share/Paradox Interactive
+mkdir ${HOME}/.local/share/Paradox Interactive/Imperator
+whitelist ${HOME}/.local/share/Paradox Interactive/Imperator
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+private-etc asound.conf,group,localtime,machine-id,passwd,pulse
+
+include generic-game.inc
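Review bot: The `seccomp !name_to_handle_at` exception at L1101 carries no explanation, whereas the KDE profiles in this commit say why the syscall must stay allowed (e.g. L1209-1211); the explicit exception only exists because firejail's default filter blocks it, so each exception should state what breaks without it. A comment above L1101 such as `# game fails to start without name_to_handle_at (observed: <symptom>)` would let the exception be re-evaluated when the game or firejail changes. The same undocumented exception appears in mgba.profile (L1682), mini-metro.profile (L1714), mount-and-blade-warband.profile (L1797), openmw.profile (L1973), openrct2.profile (L2000) and simcity4.profile (L2224).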
diff --git a/profiles/julius-game.profile b/profiles/julius-game.profile
new file mode 100644
index 0000000..f5498c6
--- /dev/null
+++ b/profiles/julius-game.profile
@@ -0,0 +1,14 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include julius-game.local
+# Persistent global definitions
+include globals.local
+
+whitelist ${HOME}/games/Caesar III
+whitelist ${HOME}/.local/share/bvschaik/julius
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
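Review bot: The save directory whitelisted at L1121 is never created with `mkdir`, and the game directory at L1120 is not made `read-only`, unlike the sibling game profiles (imperator-rome L1096-1099, legend-of-grimrock L1573-1577). If `${HOME}/.local/share/bvschaik/julius` does not exist when the sandbox starts, firejail presumably skips the whitelist entry and the game's first-run config and saves land in the temporary whitelisted home and are lost on exit. Consider `mkdir ${HOME}/.local/share/bvschaik` and `mkdir ${HOME}/.local/share/bvschaik/julius` before L1121, and `read-only ${HOME}/games/Caesar III` after L1120 if the game only reads from that directory. The same missing-mkdir pattern applies to `${HOME}/torrents` in ktorrent.local (L1543) and `${HOME}/ISOs` in k3b.local (L1139) and kget.local (L1296), though those may simply be directories that already exist on the author's system.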
diff --git a/profiles/k3b.local b/profiles/k3b.local
new file mode 100644
index 0000000..fa25e5e
--- /dev/null
+++ b/profiles/k3b.local
@@ -0,0 +1,14 @@
+ignore noblacklist ${HOME}/.kde/share/config/k3brc
+ignore noblacklist ${HOME}/.kde4/share/config/k3brc
+
+whitelist ${HOME}/.config/k3brc
+whitelist ${HOME}/.cddb
+whitelist ${HOME}/ISOs
+whitelist ${MUSIC}
+include whitelist-common.inc
+
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+
+private-tmp
diff --git a/profiles/kaffeine.local b/profiles/kaffeine.local
new file mode 100644
index 0000000..c65b2a6
--- /dev/null
+++ b/profiles/kaffeine.local
@@ -0,0 +1,4 @@
+ignore noblacklist ${HOME}/.kde/share/apps/kaffeine
+ignore noblacklist ${HOME}/.kde/share/config/kaffeinerc
+ignore noblacklist ${HOME}/.kde4/share/apps/kaffeine
+ignore noblacklist ${HOME}/.kde4/share/config/kaffeinerc
diff --git a/profiles/karbon.profile b/profiles/karbon.profile
new file mode 100644
index 0000000..330753c
--- /dev/null
+++ b/profiles/karbon.profile
@@ -0,0 +1,53 @@
+# Firejail profile for karbon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include karbon.local
+# Persistent global definitions
+include globals.local
+
+# Breaks opening svg files
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/karbonrc
+noblacklist ${HOME}/.local/share/karbon
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+# # ipc-namespace breaks menus
+ignore ipc-namespace
+# net none
+netfilter
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+shell none
+
+private-cache
+private-dev
+private-tmp
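Review bot: `net none` is commented out at L1197 while `netfilter` at L1198 stays active, but netfilter only takes effect inside a new network namespace, so unless globals.local (not visible here) or the command line sets `net`, nothing in this profile restricts networking except `protocol unix` at L1208. For a vector editor with no need for sockets, re-enabling `net none` and dropping the then-ineffective `netfilter` is the safer and more honest configuration; if network access is intentionally kept, the comment at L1197 should say why. keepassxc.local has the same shape (`ignore net` at L1262 followed by `netfilter` at L1263), where the comment at L1260 at least gives the systray reason.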
diff --git a/profiles/kate.local b/profiles/kate.local
new file mode 100644
index 0000000..6332dc5
--- /dev/null
+++ b/profiles/kate.local
@@ -0,0 +1,5 @@
+net none
+
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
diff --git a/profiles/kcalc.local b/profiles/kcalc.local
new file mode 100644
index 0000000..f914b59
--- /dev/null
+++ b/profiles/kcalc.local
@@ -0,0 +1,7 @@
+ignore mkfile ${HOME}/.kde/share/config/kcalcrc
+ignore whitelist ${HOME}/.kde/share/config/kcalcrc
+ignore mkfile ${HOME}/.kde4/share/config/kcalcrc
+ignore whitelist ${HOME}/.kde4/share/config/kcalcrc
+
+# # no3d breaks gpu accelerated rendering
+ignore no3d
diff --git a/profiles/keepassxc.local b/profiles/keepassxc.local
new file mode 100644
index 0000000..d8b7fd1
--- /dev/null
+++ b/profiles/keepassxc.local
@@ -0,0 +1,28 @@
+ignore noblacklist ${HOME}/.mozilla
+ignore noblacklist ${DOCUMENTS}
+
+whitelist ${HOME}/.config/keepassxc
+whitelist ${HOME}/.config/keepassxcrc
+include whitelist-common.inc
+
+# # no3d breaks decryption for some reason
+ignore no3d
+
+# # nodbus breaks systray support
+ignore nodbus
+
+# # machine-id and net=none breaks systray support with openrc/eudev
+ignore machine-id
+ignore net
+netfilter
+protocol unix
+
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+
+tracelog
+
+disable-mnt
+private-bin keepassxc,dbus-launch
+private-etc fonts,ld.so.cache,localtime,machine-id,passwd
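Review bot: After `ignore noblacklist ${DOCUMENTS}` at L1248 removes the upstream Documents access and only the two config paths are whitelisted at L1250-1251, no visible line grants access to wherever the .kdbx database files live, so the database location is presumably handled by globals.local or upstream keepassxc.profile (neither visible here). A comment naming the expected database directory, or an explicit `whitelist` for it, would make the intent clear, and `read-only` on any key-file directory would limit what a compromised keepassxc process can change. Dropping `${HOME}/.mozilla` at L1247 presumably also disables browser integration; worth a one-line comment stating that this is deliberate.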
diff --git a/profiles/kget.local b/profiles/kget.local
new file mode 100644
index 0000000..0ac7a0a
--- /dev/null
+++ b/profiles/kget.local
@@ -0,0 +1,41 @@
+ignore noblacklist ${HOME}/.kde/share/apps/kget
+ignore noblacklist ${HOME}/.kde/share/config/kgetrc
+ignore noblacklist ${HOME}/.kde4/share/apps/kget
+ignore noblacklist ${HOME}/.kde4/share/config/kgetrc
+ignore read-only ${HOME}/.cache/ksycoca5_*
+
+noblacklist ${HOME}/.config/kget_bittorrentfactory.rc
+noblacklist ${HOME}/.config/kget_metalinkfactory.rc
+noblacklist ${HOME}/.config/kget_multisegkiofactory.rc
+noblacklist ${VIDEOS}
+
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${VIDEOS}
+whitelist ${HOME}/ISOs
+# # whitelist entire .config as kde workaround
+whitelist ${HOME}/.config
+whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/kget_bittorrentfactory.rc
+whitelist ${HOME}/.config/kget_metalinkfactory.rc
+whitelist ${HOME}/.config/kget_multisegkiofactory.rc
+whitelist ${HOME}/.local/share/kget
+include whitelist-common.inc
+
+# ipc-namespace
+# # no3d breaks gpu accelerated rendering
+ignore no3d
+# # nodbus breaks systray support
+ignore nodbus
+# machine-id
+protocol unix,inet,netlink
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+tracelog
+
+disable-mnt
+private-bin bash,dbus-launch,kget,kdeinit5
+private-cache
+private-etc ca-certificates,fonts,localtime,machine-id,passwd,resolv.conf,ssl,xdg
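Review bot: `whitelist ${HOME}/.config` at L1298 exposes the configuration tree of every application to kget, and the comment at L1297 only calls it a "kde workaround" without naming what breaks when only the kget paths at L1299-1302 are whitelisted. Document the observed failure, e.g. `# # kde workaround: <what fails> when only the kget files below are whitelisted`, so the blanket whitelist can be narrowed once the real dependency is known; the disable-*.inc blacklists presumably still mask the most sensitive subdirectories, but anything not covered there becomes readable and writable from the sandbox. The same unexplained blanket whitelist appears in kmymoney.profile (L1353), konqueror.profile (L1428), konversation.local (L1483), ktorrent.local (L1542) and openmw.profile (L1962).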
diff --git a/profiles/kmymoney.profile b/profiles/kmymoney.profile
new file mode 100644
index 0000000..1e3b266
--- /dev/null
+++ b/profiles/kmymoney.profile
@@ -0,0 +1,64 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmymoney.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.aqbanking
+noblacklist ${HOME}/.config/kmymoneyrc
+noblacklist ${HOME}/.config/kmymoney
+noblacklist ${HOME}/.local/share/kmymoney
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.aqbanking
+mkfile ${HOME}/.config/kmymoneyrc
+mkdir ${HOME}/.config/kmymoney
+mkdir ${HOME}/.local/share/kmymoney
+
+whitelist ${HOME}/.aqbanking
+# # whitelist entire .config as kde workaround
+whitelist ${HOME}/.config
+whitelist ${HOME}/.config/kmymoneyrc
+whitelist ${HOME}/.config/kmymoney
+whitelist ${HOME}/.local/share/kmymoney
+
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+netfilter
+# # no3d breaks gpu accelerated rendering
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,kmymoney
+private-cache
+private-dev
+private-etc fonts,localtime
+private-tmp
+
+# memory-deny-write-execute
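Review bot: `net none` at L1364 blocks all networking, yet the profile goes out of its way to expose `${HOME}/.aqbanking` (L1334, L1346, L1351), a directory that exists for online banking; if aqbanking's online access is ever used, this profile will silently fail to connect. If offline-only use is intended, say so above L1364 (`# net none: aqbanking used for file import only, no online banking`); otherwise drop it in favour of `netfilter` with `protocol unix,inet,inet6` and a `private-etc` that adds `ca-certificates,resolv.conf,ssl` (compare L1321). `netfilter` at L1365 does nothing next to `net none` either way, and L1338-1339 leave a double blank line.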
diff --git a/profiles/konqueror.profile b/profiles/konqueror.profile
new file mode 100644
index 0000000..5739120
--- /dev/null
+++ b/profiles/konqueror.profile
@@ -0,0 +1,72 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include konqueror.local
+# Persistent global definitions
+include globals.local
+
+#noblacklist ${HOME}/.cache/konqueror
+#noblacklist ${HOME}/.cache/kget
+noblacklist ${HOME}/.config/konquerorrc
+noblacklist ${HOME}/.config/konq_history
+noblacklist ${HOME}/.config/kcmshell5rc
+noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/kget_bittorrentfactory.rc
+noblacklist ${HOME}/.config/kget_metalinkfactory.rc
+noblacklist ${HOME}/.config/kget_multisegkiofactory.rc
+noblacklist ${HOME}/.local/share/konqueror
+noblacklist ${HOME}/.local/share/kget
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# whitelisting breaks writing to konquerorrc
+whitelist ${DOWNLOADS}
+#whitelist ${HOME}/build/expansion
+# # Workaround for failing to write to konquerorrc
+whitelist ${HOME}/.config
+whitelist ${HOME}/.config/konquerorrc
+whitelist ${HOME}/.config/konq_history
+whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/kget_bittorrentfactory.rc
+whitelist ${HOME}/.config/kget_metalinkfactory.rc
+whitelist ${HOME}/.config/kget_multisegkiofactory.rc
+whitelist ${HOME}/.local/share/konqueror
+whitelist ${HOME}/.local/share/kget
+include whitelist-common.inc
+
+caps.drop all
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+ignore machine-id
+netfilter
+ignore no3d
+ignore nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+shell none
+tracelog
+
+disable-mnt
+private-bin konqueror,bash,kget,kcmshell5,dbus-launch
+private-cache
+private-dev
+private-etc asound.conf,ca-certificates,group,machine-id,passwd,resolv.conf,ssl
+# private-tmp breaks kget integration
+# private-tmp
+ignore private-tmp
+
+ignore memory-deny-write-execute
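Review bot: The `ignore` lines at L1442-1443, L1445-1446, L1467 and L1469 have no matching directive later in this file, and globals.local is already included at L1402; if firejail applies `ignore` only to directives parsed after it (verify against the version in use), these lines do nothing and the comment at L1440-1441 about alsa describes a choice that is not actually enforced here. If they are meant as documentation of deliberately omitted hardening, a plain comment (`# ipc-namespace omitted: hogs the alsa device`) says that without implying an effect. Either way, for a web browser the omitted options (no3d, nodbus, private-tmp, memory-deny-write-execute) are a sizeable relaxation and each deserves its own reason, as L1465 gives for private-tmp.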
diff --git a/profiles/konversation.local b/profiles/konversation.local
new file mode 100644
index 0000000..26bceed
--- /dev/null
+++ b/profiles/konversation.local
@@ -0,0 +1,18 @@
+ignore noblacklist ${HOME}/.kde/share/config/konversationrc
+ignore noblacklist ${HOME}/.kde4/share/config/konversationrc
+
+noblacklist ${HOME}/.local/share/konversation
+
+include whitelist-common.inc
+
+whitelist ${HOME}/.config
+whitelist ${HOME}/.config/konversationrc
+whitelist ${HOME}/.local/share/konversation
+
+# ipc-namespace
+machine-id
+nodbus
+protocol unix,inet
+
+private-bin konversation,keditbookmarks
+private-etc asound.conf,group,machine-id,pulse,resolv.conf
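Review bot: `private-etc` at L1493 omits ca-certificates and ssl, so IRC connections over TLS will presumably fail certificate verification inside the sandbox because the system trust store is not visible; kget.local (L1321) and ktorrent.local (L1557) in this same commit do include them. Unless plaintext IRC is intended, change it to `private-etc asound.conf,ca-certificates,group,machine-id,pulse,resolv.conf,ssl`. `protocol unix,inet` at L1490 also excludes inet6, which is worth a comment if IPv6 servers are deliberately unsupported.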
diff --git a/profiles/krita.local b/profiles/krita.local
new file mode 100644
index 0000000..cccb449
--- /dev/null
+++ b/profiles/krita.local
@@ -0,0 +1,11 @@
+# # None of that pip garbage
+ignore noblacklist /usr/local/lib/python2*
+ignore noblacklist /usr/local/lib/python3*
+
+# # ipc-namespace breaks menus
+ignore ipc-namespace
+net none
+ignore netfilter
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
diff --git a/profiles/krunner.local b/profiles/krunner.local
new file mode 100644
index 0000000..3e59eec
--- /dev/null
+++ b/profiles/krunner.local
@@ -0,0 +1,2 @@
+ignore noblacklist ${HOME}/.kde/share/config/krunnerrc
+ignore noblacklist ${HOME}/.kde4/share/config/krunnerrc
diff --git a/profiles/ktorrent.local b/profiles/ktorrent.local
new file mode 100644
index 0000000..3a22321
--- /dev/null
+++ b/profiles/ktorrent.local
@@ -0,0 +1,33 @@
+ignore noblacklist ${HOME}/.kde/share/apps/ktorrent
+ignore noblacklist ${HOME}/.kde/share/config/ktorrentrc
+ignore noblacklist ${HOME}/.kde4/share/apps/ktorrent
+ignore noblacklist ${HOME}/.kde4/share/config/ktorrentrc
+ignore mkdir ${HOME}/.kde/share/apps/ktorrent
+ignore mkdir ${HOME}/.kde4/share/apps/ktorrent
+ignore mkfile ${HOME}/.kde/share/config/ktorrentrc
+ignore mkfile ${HOME}/.kde4/share/config/ktorrentrc
+ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.kde/share/apps/ktorrent
+ignore whitelist ${HOME}/.kde/share/config/ktorrentrc
+ignore whitelist ${HOME}/.kde4/share/apps/ktorrent
+ignore whitelist ${HOME}/.kde4/share/config/ktorrentrc
+
+include disable-xdg.inc
+
+# # whitelist entire .config as kde workaround
+whitelist ${HOME}/.config
+whitelist ${HOME}/torrents
+
+ignore nodbus
+# # machine-id breaks systray support
+ignore machine-id
+protocol unix,inet,netlink
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+tracelog
+
+# # dbus-launch required for systray support
+private-bin ktorrent,dbus-launch,kdeinit5
+private-cache
+private-etc ca-certificates,fonts,machine-id,passwd,resolv.conf,ssl,xdg
diff --git a/profiles/legend-of-grimrock.profile b/profiles/legend-of-grimrock.profile
new file mode 100644
index 0000000..7921296
--- /dev/null
+++ b/profiles/legend-of-grimrock.profile
@@ -0,0 +1,18 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include legend-of-grimrock.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Almost Human
+noblacklist ${HOME}/.local/share/Almost Human/Legend of Grimrock
+
+mkdir ${HOME}/.local/share/Almost Human
+mkdir ${HOME}/.local/share/Almost Human/Legend of Grimrock
+whitelist ${HOME}/.local/share/Almost Human/Legend of Grimrock
+whitelist ${HOME}/games/Legend of Grimrock
+read-only ${HOME}/games/Legend of Grimrock
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/profiles/lgogdownloader.profile b/profiles/lgogdownloader.profile
new file mode 100644
index 0000000..a0eadea
--- /dev/null
+++ b/profiles/lgogdownloader.profile
@@ -0,0 +1,51 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lgogdownloader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/lgogdownloader
+noblacklist ${HOME}/packages/games/GOGLibrary
+
+#blacklist ${PATH}/perl
+#blacklist /usr/lib/perl*
+#blacklist /usr/share/perl*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+blacklist /tmp/.X11-unix
+
+mkdir ${HOME}/.config/lgogdownloader
+mkdir ${HOME}/packages
+mkdir ${HOME}/packages/games
+mkdir ${HOME}/packages/games/GOGLibrary
+whitelist ${HOME}/.config/lgogdownloader
+whitelist ${HOME}/packages/games/GOGLibrary
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lgogdownloader
+private-dev
+private-etc ca-certificates,pki,resolv.conf,ssl
+private-tmp
diff --git a/profiles/makepkg.local b/profiles/makepkg.local
new file mode 100644
index 0000000..d140676
--- /dev/null
+++ b/profiles/makepkg.local
@@ -0,0 +1,3 @@
+whitelist ${HOME}/build
+whitelist ${HOME}/.gnupg
+whitelist /tmp/makepkg
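Review bot: `whitelist ${HOME}/.gnupg` at L1646 gives makepkg, which executes arbitrary build and prepare functions from the PKGBUILD, read-write access to the user's whole GnuPG home including private keys and the trust database, when source-signature checks only need to read the public keyring. Add `read-only ${HOME}/.gnupg` after L1646 at minimum, or point makepkg at a dedicated keyring via GNUPGHOME so the personal keys are never inside the sandbox. Note that `whitelist` does not lift a `blacklist` from an earlier include, so this line presumably relies on upstream makepkg.profile (not visible) already carrying `noblacklist ${HOME}/.gnupg`; verify the directory is actually reachable before relying on it.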
diff --git a/profiles/mgba-qt.profile b/profiles/mgba-qt.profile
new file mode 100644
index 0000000..29ba4c5
--- /dev/null
+++ b/profiles/mgba-qt.profile
@@ -0,0 +1,4 @@
+# This file is overwritten after every install/update
+
+# Redirect
+include mgba.profile
diff --git a/profiles/mgba.profile b/profiles/mgba.profile
new file mode 100644
index 0000000..178eb5e
--- /dev/null
+++ b/profiles/mgba.profile
@@ -0,0 +1,26 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mgba.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mgba
+noblacklist ${HOME}/.local/share/mgba
+noblacklist ${HOME}/games/Emulators/GBAGAMES
+
+mkdir ${HOME}/.config/mgba
+mkdir ${HOME}/.local/share/mgba
+whitelist ${HOME}/.config/mgba
+whitelist ${HOME}/.local/share/mgba
+whitelist ${HOME}/games/Emulators/GBAGAMES
+read-only ${HOME}/games/Emulators/GBAGAMES
+include whitelist-common.inc
+
+seccomp !name_to_handle_at
+
+# private-dev breaks joysticks
+ignore private-dev
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/profiles/mini-metro.profile b/profiles/mini-metro.profile
new file mode 100644
index 0000000..4a9f247
--- /dev/null
+++ b/profiles/mini-metro.profile
@@ -0,0 +1,25 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mini-metro.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/unity3d
+noblacklist ${HOME}/.config/unity3d/Dinosaur Polo Club
+noblacklist ${HOME}/.config/unity3d/Dinosaur Polo Club/Mini Metro
+
+mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.config/unity3d/Dinosaur Polo Club
+mkdir ${HOME}/.config/unity3d/Dinosaur Polo Club/Mini Metro
+whitelist ${HOME}/.config/unity3d/Dinosaur Polo Club/Mini Metro
+whitelist ${HOME}/games/Mini Metro
+read-only ${HOME}/games/Mini Metro
+
+protocol unix,netlink
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
diff --git a/profiles/mocp.profile b/profiles/mocp.profile
new file mode 100644
index 0000000..84ac1d0
--- /dev/null
+++ b/profiles/mocp.profile
@@ -0,0 +1,51 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mocp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.moc
+noblacklist ${MUSIC}
+
+blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.moc
+whitelist ${MUSIC}
+read-only ${MUSIC}
+
+caps.drop all
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin moc,mocp
+private-cache
+private-dev
+private-etc asound.conf,group,localtime,machine-id
+private-tmp
+
+memory-deny-write-execute
diff --git a/profiles/mount-and-blade-warband.profile b/profiles/mount-and-blade-warband.profile
new file mode 100644
index 0000000..5a57141
--- /dev/null
+++ b/profiles/mount-and-blade-warband.profile
@@ -0,0 +1,20 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mount-and-blade-warband.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mbwarband
+
+whitelist ${HOME}/games/Mount and Blade - Warband
+read-only ${HOME}/games/Mount and Blade - Warband
+mkdir ${HOME}/.mbwarband
+whitelist ${HOME}/.mbwarband
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
diff --git a/profiles/mupen64plus.local b/profiles/mupen64plus.local
new file mode 100644
index 0000000..4c42d1e
--- /dev/null
+++ b/profiles/mupen64plus.local
@@ -0,0 +1,2 @@
+whitelist ${HOME}/games/Emulators/N64GAMES
+read-only ${HOME}/games/Emulators/N64GAMES
diff --git a/profiles/newsboat.local b/profiles/newsboat.local
new file mode 100644
index 0000000..a08abad
--- /dev/null
+++ b/profiles/newsboat.local
@@ -0,0 +1,7 @@
+blacklist /tmp/.X11-unix
+
+#protocol unix,inet,inet6
+tracelog
+
+private-bin newsboat,curl
+private-etc ca-certificates,resolv.conf,ssl
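Review bot: `private-bin newsboat,curl` at L1823 leaves no browser or pager in the sandbox, so newsboat's open-in-browser action and any `pager` setting will fail unless the chosen program is added, e.g. `private-bin newsboat,curl,w3m` for a text browser. A comment naming the intended browser, or stating that link opening is deliberately disabled, would make the choice explicit. The commented `#protocol unix,inet,inet6` at L1820 gives no reason for being disabled; either document it or remove the dead line.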
diff --git a/profiles/nyamp.profile b/profiles/nyamp.profile
new file mode 100644
index 0000000..876b869
--- /dev/null
+++ b/profiles/nyamp.profile
@@ -0,0 +1,52 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nyamp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/iserlohn-fortress.net/nyamp
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/iserlohn-fortress.net
+mkdir ${HOME}/.config/iserlohn-fortress.net/nyamp
+
+whitelist ${HOME}/.config/iserlohn-fortress.net/nyamp
+whitelist ${MUSIC}
+read-only ${MUSIC}
+include whitelist-common.inc
+
+
+caps.drop all
+# machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,nyamp
+private-cache
+private-dev
+private-etc fonts,machine-id
+# private-etc asound.conf,fonts,machine-id,pulse
+private-tmp
+
+memory-deny-write-execute
diff --git a/profiles/objects-in-space.profile b/profiles/objects-in-space.profile
new file mode 100644
index 0000000..c8d89ef
--- /dev/null
+++ b/profiles/objects-in-space.profile
@@ -0,0 +1,22 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include objects-in-space.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/Documents
+noblacklist ${HOME}/Documents/ObjectsInSpace
+
+mkdir ${HOME}/Documents
+mkdir ${HOME}/Documents/ObjectsInSpace
+whitelist ${HOME}/Documents/ObjectsInSpace
+whitelist ${HOME}/games/Objects In Space
+read-only ${HOME}/games/Objects In Space
+
+private-etc asound.conf,group,localtime,machine-id,passwd,pulse
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
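Review bot: L1895-1900 hard-code `${HOME}/Documents` where sibling profiles use the `${DOCUMENTS}` variable (karbon.profile L1176, keepassxc.local L1248), so the path will be wrong for users whose XDG documents directory differs. If the game itself hard-codes `~/Documents`, that deserves a comment above L1895; otherwise use `noblacklist ${DOCUMENTS}/ObjectsInSpace`, `mkdir ${DOCUMENTS}/ObjectsInSpace` and `whitelist ${DOCUMENTS}/ObjectsInSpace`. `mkdir ${HOME}/Documents` at L1898 also creates a top-level user directory as a side effect of starting a game, which is surprising behaviour for a profile.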
diff --git a/profiles/okular.local b/profiles/okular.local
new file mode 100644
index 0000000..0252f33
--- /dev/null
+++ b/profiles/okular.local
@@ -0,0 +1,17 @@
+ignore noblacklist ${HOME}/.cache/okular
+ignore noblacklist ${HOME}/.kde/share/apps/okular
+ignore noblacklist ${HOME}/.kde/share/config/okularpartrc
+ignore noblacklist ${HOME}/.kde/share/config/okularrc
+ignore noblacklist ${HOME}/.kde4/share/apps/okular
+ignore noblacklist ${HOME}/.kde4/share/config/okularpartrc
+ignore noblacklist ${HOME}/.kde4/share/config/okularrc
+
+net none
+# no3d
+nodbus
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+
+private-cache
+private-tmp
diff --git a/profiles/openmw-launcher.profile b/profiles/openmw-launcher.profile
new file mode 100644
index 0000000..f922019
--- /dev/null
+++ b/profiles/openmw-launcher.profile
@@ -0,0 +1,4 @@
+# This file is overwritten after every install/update
+
+# Redirect
+include openmw.profile
diff --git a/profiles/openmw.profile b/profiles/openmw.profile
new file mode 100644
index 0000000..db331ca
--- /dev/null
+++ b/profiles/openmw.profile
@@ -0,0 +1,30 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/openmw-wizardrc
+noblacklist ${HOME}/.config/openmw
+noblacklist ${HOME}/.local/share/openmw
+
+include whitelist-common.inc
+
+whitelist ${HOME}/.config
+mkfile ${HOME}/.config/openmw-wizardrc
+whitelist ${HOME}/.config/openmw-wizardrc
+mkdir ${HOME}/.config/openmw
+whitelist ${HOME}/.config/openmw
+mkdir ${HOME}/.local/share/openmw
+whitelist ${HOME}/.local/share/openmw
+whitelist ${HOME}/games/Morrowind
+read-only ${HOME}/games/Morrowind
+
+protocol unix,netlink
+seccomp !name_to_handle_at
+
+private-etc asound.conf,group,localtime,machine-id,openmw,pulse
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/profiles/openrct2.profile b/profiles/openrct2.profile
new file mode 100644
index 0000000..8c50325
--- /dev/null
+++ b/profiles/openrct2.profile
@@ -0,0 +1,19 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openrct2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/OpenRCT2
+noblacklist ${HOME}/.local/share/OpenRCT2
+
+mkdir ${HOME}/.config/OpenRCT2
+whitelist ${HOME}/.config/OpenRCT2
+whitelist ${HOME}/games/RollerCoaster Tycoon 2
+read-only ${HOME}/games/RollerCoaster Tycoon 2
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
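Review bot: `noblacklist ${HOME}/.local/share/OpenRCT2` at L1993 is never paired with `mkdir`/`whitelist`, unlike the `.config` directory at L1995-1996, so in whitelist mode that path stays invisible to the game and the noblacklist has no effect. Either remove L1993 or mirror the config handling with `mkdir ${HOME}/.local/share/OpenRCT2` and `whitelist ${HOME}/.local/share/OpenRCT2` after L1996, depending on whether OpenRCT2 actually writes there on this system.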
diff --git a/profiles/palemoon.local b/profiles/palemoon.local
new file mode 100644
index 0000000..b01601e
--- /dev/null
+++ b/profiles/palemoon.local
@@ -0,0 +1,24 @@
+ignore noblacklist ${HOME}/.cache/moonchild productions/pale moon
+ignore mkdir ${HOME}/.cache/moonchild productions/pale moon
+ignore whitelist ${HOME}/.cache/moonchild productions/pale moon
+
+# # machine-id without private-etc/pulse causes pulseaudio segfaults
+# # machine-id breaks audio
+# machine-id
+
+private-bin palemoon,bash
+
+# # private-etc requires machine-id or pulse else pulseaudio segafaults
+# # private-etc requires both machine-id and pulse for pulseaudio support
+# # private-etc requires machine-id for alsa audio support
+# Use for pulseaudio
+# private-etc asound.conf,machine-id,pulse,resolv.conf
+# Use for alsa
+# private-etc asound.conf,group,machine-id,resolv.conf
+# Use for broken audio
+# private-etc asound.conf,pulse,resolv.conf
+private-etc resolv.conf
+
+# # Use with hardened-malloc package
+# Causes segfaults on multi-line text fields
+#env LD_PRELOAD=/usr/lib/libhardened_malloc.so
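Review bot: The three comment lines at L2021-2023 give overlapping and partly inconsistent explanations of the machine-id/pulse interaction (L2021 says machine-id *or* pulse avoids the segfault, L2022 says *both* are required), and L2021 misspells "segfaults"; consolidate them into one statement of which private-etc entries each audio backend needs, placed above the three alternative lines. The active `private-etc resolv.conf` at L2030 carries none of the audio entries and no `fonts`, which is presumably why the alternatives are kept; a comment saying which variant is currently known to work on this system would save the next reader from re-testing all four.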
diff --git a/profiles/pandora-first-contact.profile b/profiles/pandora-first-contact.profile
new file mode 100644
index 0000000..e9303b2
--- /dev/null
+++ b/profiles/pandora-first-contact.profile
@@ -0,0 +1,18 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pandora.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Proxy Studios
+noblacklist ${HOME}/.config/Proxy Studios/Pandora
+
+mkdir ${HOME}/.config/Proxy Studios
+mkdir ${HOME}/.config/Proxy Studios/Pandora
+whitelist ${HOME}/.config/Proxy Studios/Pandora
+whitelist ${HOME}/games/Pandora - First Contact
+read-only ${HOME}/games/Pandora - First Contact
+
+ignore noexec ${HOME}
+
+include generic-game-networked.inc
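Review bot: L2043 includes `pandora.local` while the file is named pandora-first-contact.profile; every other profile in this commit includes `<profile-name>.local` (e.g. L2111, L2135), so a user who follows that convention and creates pandora-first-contact.local will find it silently ignored. Change L2043 to `include pandora-first-contact.local`, or rename the profile to pandora.profile, so the two stay in step.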
diff --git a/profiles/poi.local b/profiles/poi.local
new file mode 100644
index 0000000..4efe315
--- /dev/null
+++ b/profiles/poi.local
@@ -0,0 +1,9 @@
+nou2f
+shell none
+
+# memory-deny-write-execute
+private-bin poi,bash
+
+# # Use with hardened-malloc package
+# # Breaks smolbote
+# env LD_PRELOAD=/usr/lib/libhardened_malloc.so
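Review bot: The comment `# # Breaks smolbote` at L2072 names a different application than this file (poi.local) and looks like a copy-paste leftover; if hardened-malloc actually breaks poi, say so (`# # Breaks poi`), otherwise drop the line. `# memory-deny-write-execute` at L2068 is commented out with no reason, unlike qtox.local (L2095-2096) which explains its `ignore`; a short reason or removal keeps the file free of dead directives.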
diff --git a/profiles/qtox.local b/profiles/qtox.local
new file mode 100644
index 0000000..45bd4c7
--- /dev/null
+++ b/profiles/qtox.local
@@ -0,0 +1,23 @@
+# # qtox alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+
+# # Breaks systray support
+ignore nodbus
+
+# # qtox can make use of a webcam for calls
+# # comment this if you intend to do so
+novideo
+
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+
+# # mdwe breaks qtox
+ignore memory-deny-write-execute
+
+private-bin qtox,dbus-launch
+private-etc asound.conf,fonts,group,ld.so.cache,localtime,machine-id,passwd,pulse,resolv.conf
+
+# # Use with hardened-malloc package
+env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/profiles/renpy.profile b/profiles/renpy.profile
new file mode 100644
index 0000000..f4b2c7f
--- /dev/null
+++ b/profiles/renpy.profile
@@ -0,0 +1,18 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include renpy.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.renpy
+
+mkdir ${HOME}/.renpy
+whitelist ${HOME}/.renpy
+whitelist ${HOME}/games
+read-only ${HOME}/games
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
diff --git a/profiles/rtv.profile b/profiles/rtv.profile
new file mode 100644
index 0000000..c10cc15
--- /dev/null
+++ b/profiles/rtv.profile
@@ -0,0 +1,58 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtv.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/include/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python3*
+noblacklist ${HOME}/.config/rtv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/rtv
+whitelist ${HOME}/.config/rtv
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin rtv,python
+private-cache
+private-dev
+private-etc ca-certificates,resolv.conf,ssl
+private-tmp
+
+# memory-deny-write-execute
diff --git a/profiles/sanctuaryrpg-black-edition.profile b/profiles/sanctuaryrpg-black-edition.profile
new file mode 100644
index 0000000..ede876f
--- /dev/null
+++ b/profiles/sanctuaryrpg-black-edition.profile
@@ -0,0 +1,12 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sanctuaryrpg-black-edition.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/SanctuaryRPG
+whitelist ${HOME}/.local/share/wineprefixes/SanctuaryRPG
+
+ignore memory-deny-write-execute
+
+include generic-wine-game.inc
diff --git a/profiles/simcity4.profile b/profiles/simcity4.profile
new file mode 100644
index 0000000..99cfe29
--- /dev/null
+++ b/profiles/simcity4.profile
@@ -0,0 +1,14 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simcity4.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/SimCity4
+whitelist ${HOME}/.local/share/wineprefixes/SimCity4
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+include generic-wine-game.inc
diff --git a/profiles/singularity.profile b/profiles/singularity.profile
new file mode 100644
index 0000000..e1785eb
--- /dev/null
+++ b/profiles/singularity.profile
@@ -0,0 +1,20 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include singularity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2
+
+noblacklist ${HOME}/.endgame
+
+mkdir ${HOME}/.endgame
+whitelist ${HOME}/.endgame
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
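Review bot: `noblacklist /usr/share/python2` at L2245 lacks the trailing `*` that every other line in the block (L2241-2244) and the matching line in rtv.profile (L2145) carry, so versioned directories such as `/usr/share/python2.7` would stay blacklisted; change it to `noblacklist /usr/share/python2*`. A comment that the game is a Python 2 program would also explain why an interpreter is being re-enabled here, since the include that presumably disables it lives in generic-game.inc rather than this file.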
diff --git a/profiles/sqlitebrowser.local b/profiles/sqlitebrowser.local
new file mode 100644
index 0000000..4055e3e
--- /dev/null
+++ b/profiles/sqlitebrowser.local
@@ -0,0 +1,13 @@
+noblacklist ${HOME}/.moonchild productions/pale moon
+noblacklist ${HOME}/.mozilla
+
+# # No network thanks.
+ignore netfilter
+net none
+protocol unix
+
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
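Review bot: `noblacklist` of the full Pale Moon and Firefox profile trees at L2261-2262 gives sqlitebrowser read-write access to the browsers' cookie, login and history databases, and nothing in this .local limits that to reading. If the purpose is inspecting those databases, pair the lines with `read-only ${HOME}/.moonchild productions/pale moon` and `read-only ${HOME}/.mozilla` so an accidental write, or a crafted database file that exploits the viewer, cannot alter browser state; if editing is intended, a comment should say so. `ignore memory-deny-write-execute` at L2273 also lacks the reason other files give (e.g. qtox.local L2095).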
diff --git a/profiles/star-citizen.profile b/profiles/star-citizen.profile
new file mode 100644
index 0000000..8ac18e0
--- /dev/null
+++ b/profiles/star-citizen.profile
@@ -0,0 +1,27 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include star-citizen.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/StarCitizen
+whitelist ${HOME}/.local/share/wineprefixes/StarCitizen
+
+# Star Citizen requires noroot to access Newtonsoft.Json when usign DXVK
+ignore noroot
+
+# Star Citizen requires netlink for the game to connect to the server
+protocol unix,inet,inet6,netlink
+
+# Star Citizen requires the ptrace syscall for the launcher to function
+seccomp !name_to_handle_at,!ptrace
+
+# Star Citizen requires ca-certificates and ssl for the launcher to connect to the server
+private-etc asound.conf,ca-certificates,group,localtime,machine-id,passwd,pulse,resolv.conf,ssl
+
+ignore memory-deny-write-execute
+
+# Star Citizen requires exec ${HOME} or the launcher will crash
+ignore noexec ${HOME}
+
+include generic-wine-game-networked.inc
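Review bot: The comment above `ignore noroot` reads "requires noroot", but the directive removes noroot, so the comment states the opposite of what the line does; warframe.profile carries the same inverted comment. Something like `# Star Citizen breaks under noroot when using DXVK (Newtonsoft.Json access), so drop it` would match the directive. This profile also stacks `!ptrace`, exec in ${HOME} and no noroot on top of the generic include, so a one-line summary of the cumulative relaxation at the top of that section would help anyone deciding whether to accept it.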
diff --git a/profiles/starbound.profile b/profiles/starbound.profile
new file mode 100644
index 0000000..36e59dd
--- /dev/null
+++ b/profiles/starbound.profile
@@ -0,0 +1,20 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include starbound.local
+# Persistent global definitions
+include globals.local
+
+whitelist ${HOME}/games/Starbound
+read-only ${HOME}/games/Starbound
+mkdir ${HOME}/games/Starbound/game/storage
+read-write ${HOME}/games/Starbound/game/storage
+
+protocol unix,inet,inet6,netlink
+# # Starbound requires syscall name_to_handle_at
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game-networked.inc
diff --git a/profiles/stardew-valley.profile b/profiles/stardew-valley.profile
new file mode 100644
index 0000000..6f35c6c
--- /dev/null
+++ b/profiles/stardew-valley.profile
@@ -0,0 +1,25 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include stardew-valley.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/StardewValley
+
+mkdir ${HOME}/.config/StardewValley
+whitelist ${HOME}/.config/StardewValley
+whitelist ${HOME}/games/Stardew Valley
+# # read-only breaks mods
+#read-only ${HOME}/games/Stardew Valley
+
+
+protocol unix,inet,inet6,netlink
+# # Unknown seccomp rule breaks SMAPI //FIXME
+#seccomp !name_to_handle_at
+ignore seccomp
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game-networked.inc
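Review bot: `ignore seccomp` disables the syscall filter entirely rather than excluding the one syscall SMAPI needs, which is a far larger relaxation than the `seccomp !name_to_handle_at` form the sibling profiles use, and the FIXME leaves no trace of what was tried. Until the offending syscall is identified, the comment should say so plainly, e.g. `# FIXME: seccomp filter fully disabled - SMAPI fails under the default filter; the failing syscall has not been identified, replace with 'seccomp !<syscall>' once it is`. The commented-out `read-only` line also leaves the game directory writable; the comment explains that, but the doubled blank line after it looks like a stray.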
diff --git a/profiles/start-tor-browser.local b/profiles/start-tor-browser.local
new file mode 100644
index 0000000..b04636f
--- /dev/null
+++ b/profiles/start-tor-browser.local
@@ -0,0 +1,3 @@
+noblacklist ${HOME}/applications/tor-browser_en-US
+
+whitelist ${HOME}/applications/tor-browser_en-US
diff --git a/profiles/strawberry.profile b/profiles/strawberry.profile
new file mode 100644
index 0000000..cf3da43
--- /dev/null
+++ b/profiles/strawberry.profile
@@ -0,0 +1,45 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include strawberry.local
+# Persistent global definitions
+include globals.local
+
+#noblacklist ${HOME}/.cache/strawberry
+noblacklist ${HOME}/.config/strawberry
+noblacklist ${HOME}/.local/share/strawberry
+noblacklist ${MUSIC}
+#whitelist ${HOME}/.cache/strawberry
+whitelist ${HOME}/.config/strawberry
+whitelist ${HOME}/.local/share/strawberry
+whitelist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+include whitelist-common.inc
+
+caps.drop all
+#net none
+netfilter
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# blacklisting of ioprio_set system calls breaks strawberry
+seccomp !ioprio
+shell none
+tracelog
+
+# disable-mnt
+private-cache
+private-dev
+private-etc asound.conf,group,localtime,machine-id,pulse,resolv.conf
+private-tmp
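Review bot: The comment at `seccomp !ioprio` names the `ioprio_set` syscall, while the exclusion is written as `ioprio`; the exclusion list takes syscall names (or group names), so unless `ioprio` is accepted as an alias by the firejail version targeted, the exclusion may not cover what the comment describes — please confirm, and if it is not, write `seccomp !ioprio_set` (and `!ioprio_get` if that is also needed). `#net none` and `# disable-mnt` are kept as commented-out directives with no explanation; a short comment saying whether they were tried and what broke would tell the reader why they are off.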
diff --git a/profiles/tome4.profile b/profiles/tome4.profile
new file mode 100644
index 0000000..7a6e3b4
--- /dev/null
+++ b/profiles/tome4.profile
@@ -0,0 +1,21 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tome4.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/include/lua*
+noblacklist /usr/share/lua
+noblacklist ${HOME}/.t4-engine
+
+mkdir ${HOME}/.t-engine
+whitelist ${HOME}/.t-engine
+
+protocol unix,netlink
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
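Review bot: `noblacklist ${HOME}/.t4-engine` does not match the `mkdir`/`whitelist` lines two lines below, which use `${HOME}/.t-engine`; one of the two names is a typo, and as written the noblacklist lifts nothing for the directory that is actually whitelisted. The sibling profiles pair the same path in both directives, so this should be `noblacklist ${HOME}/.t-engine`, or the mkdir/whitelist lines should become `.t4-engine`, whichever the engine really uses.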
diff --git a/profiles/toxic.profile b/profiles/toxic.profile
new file mode 100644
index 0000000..32254e7
--- /dev/null
+++ b/profiles/toxic.profile
@@ -0,0 +1,54 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include toxic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tox
+# noblacklist ${HOME}/.gnupg
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+# whitelist ${HOME}/.gnupg
+# read-only ${HOME}/.gnupg
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin toxic
+# private-bin toxic,gpg,pinentry-qt
+private-cache
+private-etc asound.conf,group,localtime,machine-id,resolv.conf
+private-dev
+private-tmp
+
+memory-deny-write-execute
+# writable-run-user
diff --git a/profiles/vambrace-cold-soul.profile b/profiles/vambrace-cold-soul.profile
new file mode 100644
index 0000000..d97a31d
--- /dev/null
+++ b/profiles/vambrace-cold-soul.profile
@@ -0,0 +1,24 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vambrace-cold-soul.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/unity3d
+noblacklist ${HOME}/.config/unity3d/DevespressoGames
+noblacklist ${HOME}/.config/unity3d/DevespressoGames/VambraceColdSoul
+
+mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.config/unity3d/DevespressoGames
+mkdir ${HOME}/.config/unity3d/DevespressoGames/VambraceColdSoul
+whitelist ${HOME}/.config/unity3d/DevespressoGames/VambraceColdSoul
+whitelist ${HOME}/games/Vambrace - Cold Soul
+read-only ${HOME}/games/Vambrace - Cold Soul
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
diff --git a/profiles/vlc.local b/profiles/vlc.local
new file mode 100644
index 0000000..29c9ed8
--- /dev/null
+++ b/profiles/vlc.local
@@ -0,0 +1,10 @@
+ignore noblacklist ${HOME}/.cache/vlc
+
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+nodbus
+
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
diff --git a/profiles/w3m.local b/profiles/w3m.local
new file mode 100644
index 0000000..af12ef0
--- /dev/null
+++ b/profiles/w3m.local
@@ -0,0 +1,11 @@
+mkdir ${HOME}/.w3m
+whitelist ${HOME}/.w3m
+
+ipc-namespace
+machine-id
+nodbus
+protocol inet,inet6
+
+disable-mnt
+
+memory-deny-write-execute
diff --git a/profiles/warframe.profile b/profiles/warframe.profile
new file mode 100644
index 0000000..02e12fe
--- /dev/null
+++ b/profiles/warframe.profile
@@ -0,0 +1,21 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warframe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/Warframe
+whitelist ${HOME}/.local/share/wineprefixes/Warframe
+
+# Warframe requires noroot if using DXVK
+ignore noroot
+
+# warframe requires the ptrace syscall to verify the game files
+seccomp !name_to_handle_at,!ptrace
+
+ignore memory-deny-write-execute
+
+# Warframe requires exec /tmp or the launcher will during update check
+ignore noexec /tmp
+
+include generic-wine-game-networked.inc
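Review bot: The comment above `ignore noexec /tmp` is missing its verb ("the launcher will during update check"), so it does not say what fails; `# Warframe requires exec in /tmp or the launcher will crash during the update check` reads as intended, assuming a crash is what was meant. Whether /tmp here is the private tmp from the generic include cannot be seen in this hunk; if it is, a note to that effect would explain why allowing exec there is acceptable.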
diff --git a/profiles/weechat.local b/profiles/weechat.local
new file mode 100644
index 0000000..ca330f7
--- /dev/null
+++ b/profiles/weechat.local
@@ -0,0 +1,40 @@
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/include/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python3*
+
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.weechat
+
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+machine-id
+no3d
+nodbus
+nodvd
+nogroups
+# nosound
+nou2f
+novideo
+shell none
+tracelog
+
+disable-mnt
+# private-bin
+private-dev
+private-etc asound.conf,ca-certificates,machine-id,resolv.conf,ssl
+private-tmp
+
+# memory-deny-write-execute
diff --git a/profiles/wesnoth.local b/profiles/wesnoth.local
new file mode 100644
index 0000000..ca69a8c
--- /dev/null
+++ b/profiles/wesnoth.local
@@ -0,0 +1,37 @@
+noblacklist ${PATH}/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/include/lua*
+noblacklist /usr/share/lua
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*
+
+ignore noblacklist ${HOME}/.cache/wesnoth
+ignore mkdir ${HOME}/.cache/wesnoth
+ignore whitelist ${HOME}/.cache/wesnoth
+
+include disable-exec.inc
+include disable-xdg.inc
+
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+machine-id
+ignore net
+netfilter
+ignore no3d
+nodbus
+nogroups
+novideo
+protocol unix,inet,inet6
+shell none
+tracelog
+
+disable-mnt
+private-bin wesnoth
+private-cache
+private-etc asound.conf,fonts,group,localtime,machine-id,pulse,resolv.conf
+
+ignore memory-deny-write-execute
diff --git a/profiles/wget.local b/profiles/wget.local
new file mode 100644
index 0000000..843ded4
--- /dev/null
+++ b/profiles/wget.local
@@ -0,0 +1,3 @@
+machine-id
+nodbus
+protocol inet,inet6
diff --git a/profiles/wine.local b/profiles/wine.local
new file mode 100644
index 0000000..d3210eb
--- /dev/null
+++ b/profiles/wine.local
@@ -0,0 +1,16 @@
+noblacklist ${HOME}/.config/q4wine
+noblacklist ${HOME}/.local/share/wineprefixes
+
+include disable-passwdmgr.inc
+
+mkdir ${HOME}/.wine
+mkdir ${HOME}/.config/q4wine
+mkdir ${HOME}/.local/share/wineprefixes
+whitelist ${HOME}/.wine
+whitelist ${HOME}/.config/q4wine
+whitelist ${HOME}/.local/share/wineprefixes
+
+machine-id
+
+private-dev
+private-tmp
diff --git a/profiles/x4-foundations.profile b/profiles/x4-foundations.profile
new file mode 100644
index 0000000..9ad80f9
--- /dev/null
+++ b/profiles/x4-foundations.profile
@@ -0,0 +1,22 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x4-foundations.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/EgoSoft
+noblacklist ${HOME}/.config/EgoSoft/X4
+
+mkdir ${HOME}/.config/EgoSoft
+mkdir ${HOME}/.config/EgoSoft/X4
+whitelist ${HOME}/.config/EgoSoft/X4
+whitelist ${HOME}/games/X-4 Foundations
+read-only ${HOME}/games/X-4 Foundations
+
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
diff --git a/profiles/xcom-enemy-unknown.profile b/profiles/xcom-enemy-unknown.profile
new file mode 100644
index 0000000..bc494b3
--- /dev/null
+++ b/profiles/xcom-enemy-unknown.profile
@@ -0,0 +1,17 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xcom-enemy-unknown.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/wineprefixes/XCOMEnemyUnknown
+whitelist ${HOME}/.local/share/wineprefixes/XCOMEnemyUnknown
+
+# XCOM requires the ptrace syscall or the launcher will crash
+seccomp !name_to_handle_at,!ptrace
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-wine-game.inc
diff --git a/profiles/xenonauts.profile b/profiles/xenonauts.profile
new file mode 100644
index 0000000..851aadb
--- /dev/null
+++ b/profiles/xenonauts.profile
@@ -0,0 +1,14 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xenonauts.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Goldhawk Interactive
+
+mkdir ${HOME}/.local/share/Goldhawk Interactive
+whitelist ${HOME}/.local/share/Goldhawk Interactive
+whitelist ${HOME}/games/Xenonauts
+read-only ${HOME}/games/Xenonauts
+
+include generic-game.inc
diff --git a/profiles/youtube-dl.local b/profiles/youtube-dl.local
new file mode 100644
index 0000000..0576904
--- /dev/null
+++ b/profiles/youtube-dl.local
@@ -0,0 +1,6 @@
+blacklist /tmp/.X11-unix
+
+protocol inet,inet6
+
+# # None of that pip garbage
+noexec ${HOME}
diff --git a/profiles/ziggurat.profile b/profiles/ziggurat.profile
new file mode 100644
index 0000000..8bf725f
--- /dev/null
+++ b/profiles/ziggurat.profile
@@ -0,0 +1,26 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ziggurat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/unity3d
+noblacklist ${HOME}/.config/unity3d/Milkstone Studios
+noblacklist ${HOME}/.config/unity3d/Milkstone Studios/Ziggurat
+noblacklist ${HOME}/.nv
+
+mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.config/unity3d/Milkstone Studios
+mkdir ${HOME}/.config/unity3d/Milkstone Studios/Ziggurat
+whitelist ${HOME}/.config/unity3d/Milkstone Studios/Ziggurat
+whitelist ${HOME}/games/Ziggurat
+read-only ${HOME}/games/Ziggurat
+
+protocol unix,netlink
+seccomp !name_to_handle_at
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
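Review bot: `noblacklist ${HOME}/.nv` has no matching `mkdir`/`whitelist` line, unlike every other home path in this hunk; if generic-game.inc ends up whitelisting ${HOME} (not visible here), the directory stays invisible and the line has no effect, and if it does not, the shader cache is opened read-write without a comment saying why. Either add `whitelist ${HOME}/.nv` next to the other whitelist lines or drop the noblacklist, and in both cases a one-line comment such as `# NVIDIA shader cache` would record the intent.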